Ripples from the latest management shake-up at Microsoft are being felt throughout the all-important STU (Security Technology Unit).
Mike Nash, the corporate VP who guided Microsoft through some of its biggest security crises and led an aggressive effort to reshape the company's embarrassing image, is leaving his STU office and handing the keys to Windows Server veteran Ben Fathi.
Nash's exit ends a topsy-turvy tenure that coincided with the Blaster, Slammer and Sasser network worm attacks; the release of the security-centric Windows XP SP 2 (Service Pack 2) operating system makeover; the repairing of Microsoft's relationship with hackers; and the latest Vista delay that is partly due to lingering security testing concerns.
The 43-year-old Nash, who joined Microsoft in 1991 and was the first product manager on the original Windows NT marketing team, is leaving for a preplanned sabbatical and will be reassigned to a new post, according to a staff memo distributed on March 23.
When Nash assumed the role of security head honcho, Microsoft was the laughing stock of the hacking community. The company bluntly refused to acknowledge software flaw warnings and released patches on an ad-hoc schedule, infuriating IT managers who struggled with the testing and deployment of updates.
All that would change in 2003 after three separate Windows worm attacks—Slammer, Sobig and Blaster—crippled networks around the world, forcing Microsoft to do an overhaul of its security response process.
Nash, a hands-on executive who camped out in the MSRC (Microsoft Security Response Center) war room and barked instructions during worm outbreaks, also managed the mandatory implementation of the SDL (Security Development Lifecycle).
He was also in charge of the delivery of Windows XP SP2 to more than 260 million machines and the creation of a security response process that is the envy of all software vendors.
Along the way, there were hiccups—and product shipment delays—that rested on Nash's shoulders. Zero-day flaw warnings and the constant release of fixes for critical vulnerabilities continue to haunt Windows users and, as Nash himself admitted in a Slashdot Q&A, the company was slow to react to the spyware epidemic.
In fact, according to Nash, it took a visit to help clean up his grandma Estelle's “massively infected” PC to trigger alarm bells.
“With that visit came the vision for Microsoft's anti-spyware strategy and our focus on delivering an anti-spyware solution,” said Nash, who now travels with a 512MB memory stick that includes a copy of Windows SP 2, the latest beta of Windows Defender and the newest version of the Malicious Software Removal Tool.
Under Nash's watch, Microsoft emerged as a player in the security market, using acquisitions and home-grown technologies to launch OneCare, a subscription-based PC care utility for home users. It also launched enterprise-facing anti-spyware, anti-spam and anti-virus offerings.
Fathi takes over immediately, but Nash will stay on through June 1 to ease the transition.
Fathi's direct reports are Kristin Johnsen, Rebecca Norlander, Dan Schiappa and George Stathakopoulos, a management team that faces the tough task of shipping Vista as Microsoft's most secure operating system ever.
In a memo sent to STU staffers moments after the shake-up was announced, Fathi said his immediate priorities include the building of a trust ecosystem throughout the industry and the push to evangelize SDL internally and externally.
He called on his unit to focus on “delivering simplicity in security solutions so customers can adopt and deploy security with ease” and the creation of a “fundamentally secure platform in Windows Vista and beyond.”
Moving swiftly to quell speculation that Nash's exit was tied to the Vista delay, a company spokesman said the main focus is to ensure the new operating system meets the code quality bar and that it has done the required testing to ensure the product is of the highest quality before it is released to the market.
“Balancing security and usability is a challenge and Microsoft wants to make sure it gets it right. The timing decision is based on Microsoft internal testing, which is the largest penetration training in the world. Feedback from CTP and partners is very positive and Microsoft is confident when it releases Vista, it will be the best operating system it's ever released,” the spokesman said in a statement sent to eWEEK.
It's now up to Fathi, the newly minted general manager of the STU, to meet those lofty expectations. The 41-year-old, who most recently served as General Manager for Storage and High Availability in the Windows division, will run two security-focused development teams.
The first is the Security Protection Technologies team that creates technologies for anti-virus, anti-spyware and network security software, and the second is the Windows Security team that is responsible for core security features in Windows such as authentication, authorization and audit, RMS, and BitLocker, as well as the long-term security architecture strategy.
Fathi, who joined Microsoft in 1998 after a stint at Silicon Graphics, will also lead the Security Engineering and Communications team and the Security Outreach team.